32 Pages Posted: 22 Oct 2011 Last revised: 21 Feb 2012
Date Written: December 17, 2010
Few enterprise operational areas present as much inherent risk or prove as difficult to govern as Information Technology (“IT”). To be successful, IT governance requires enterprise commitment at the very top. Boards and executive management need to extend the governance already exercised over the enterprise to IT by way of an effective IT governance framework that addresses strategic alignment, performance measurement, risk management, value delivery, and resource management. IT governance is an integral part of enterprise governance and consists of the leadership, organizational structures, and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives. Simply put, IT governance and the effective application of an IT governance framework are the responsibilities of the board of directors and executive management. An IT governance framework, such as Control Objectives for Information and related Technology (COBIT), can be a critical element in ensuring proper control and governance over information and the systems that create, store, manipulate, and retrieve it. But these risks do not have to be shouldered by the company alone. Many can be transferred to or shared with insurance.
Every Governance and Nominating Committee must assess its current inventory of director skill sets to require IT expertise. One choice will be to have and include IT expertise within a dedicated Risk Committee. Best practice for many will dictate that an audit committee include IT expertise and be composed of a qualified vice chairman, familiar with the company’s particular audit issues by virtue of experience gained from audit committee service. This will help provide an instant replacement for the committee chair should unexpected developments require it. Therefore, every board should have at least two qualified financial experts populating the audit committee and seek IT expertise and experience in director recruitment to help avoid and address the costly private and regulatory lawsuits related to cyber issues that are increasingly facing companies. Every board’s challenge in addressing IT risk is ongoing vigilance and recognition of the mission-critical nature of Information Technology to the enterprise.
Keywords: Audit Committee, Business Continuity Planning, Business Judgment Rule, Chief Information Officer, Corporate Governance, Cybersecurity, Disaster Recovery, Disclosure, Dodd-Frank, Duty of Care, Duty of Loyalty, E-Commerce, Enterprise Systems, Hacking, Information Architecture, Information Security
JEL Classification: C88, G34, G38, H56, K22, K42, L21, L86, M10, O30, O32, O33, O38
Suggested Citation:
Trautman, Lawrence J. and Altenbaumer-Price, Kara, The Board’s Responsibility for Information Technology Governance (December 17, 2010). John Marshall Journal of Computer & Information Law, Vol. 29, p. 313, 2011. Available at SSRN: https://ssrn.com/abstract=1947283